Session quotas
AM lets you limit the number of active sessions for a user by setting session quotas. Use this feature, for example, to prevent a user from logging in from more than two devices at once, mitigating scenarios where user passwords may have been compromised.
AM’s support for session quotas requires server-side sessions.
Configure session quotas and exhaustion actions
The session quota applies to all sessions opened for the same user (as represented by the user’s universal identifier). To configure session quotas and exhaustion in AM, perform the following steps:
-
In the AM admin UI, go to Configure > Global Services > Sessions > Session Quotas.
-
From the Enable Quota Constraints drop-down menu, choose
ON
. -
On the Set Resulting behavior if session quota exhausted property, set one of the following values:
DENY_ACCESS
-
Deny access, preventing the user from creating an additional session.
DESTROY_NEXT_EXPIRING
-
Remove the next session to expire, and create a new session for the user. The next session to expire is the session with the minimum time left until expiration.
This is the default setting.
DESTROY_OLDEST_SESSION
-
Remove the oldest session, and create a new session for the user.
DESTROY_OLD_SESSIONS
-
Remove all existing sessions, and create a new session for the user.
If none of these session quota exhaustion actions fit your deployment, you can implement a custom session quota exhaustion action. For an example, refer to Customize server-side session quota exhaustion actions.
-
Go to Realms > Realm Name > Services > Session.
-
On the Set Active User Sessions property, configure the maximum number of concurrent sessions a user can have.
Note that you can also change this setting globally for the AM site in Configure > Sessions > Dynamic Attributes.
-
Click Save Changes.